
FTC Mandates Data Security Breach Reporting for Non-Banking Financial Institutions

New Data Breach Notification Requirements for Non-Banking Financial Institutions: Key Details and Compliance Steps

Beginning May 11, 2024, non-banking financial institutions regulated by the Federal Trade Commission (FTC) will face new requirements regarding data breaches and security events impacting consumers. The FTC has issued a final rule amending its Safeguards Rule to include a notification requirement for incidents affecting 500 or more consumers. These notifications will be entered into a publicly available database for transparency.

The revised Safeguards Rule specifies which institutions must report, the timeline for reporting, the method of reporting to the FTC, and the information the notification must contain. Covered entities must report any unauthorized acquisition of unencrypted customer information as soon as possible, and no later than 30 days after discovery.

The Rule specifies that notifications must include the name and contact information of the reporting institution, a description of the information involved, the date of the event, the number of affected consumers, and more. Law enforcement officials may request a delay in notification for up to 30 days, with the possibility of an additional 60-day extension if necessary for a criminal investigation or national security concerns.

The Rule will go into effect on May 11, 2024, giving institutions 180 days from the publication of the Rule in the Federal Register to prepare for compliance. Covered institutions are advised to review their incident response plans and security programs to ensure they meet the new notification requirements. The FTC’s focus on security and privacy enforcement underscores the importance of compliance with the Safeguards Rule and other regulations.

As the deadline approaches, financial institutions should take steps to enhance their privacy and security programs to meet the new requirements. Monitoring developments in this space and seeking assistance from cybersecurity and data protection experts can help institutions navigate the changing regulatory landscape effectively.
